This is a question that you'll have to clearify with your data protection officer.
The background is the following: If you process personal data, you are responsible to have contracts with the sub-processors that bind them (a) not to do evil with this data and (b) to allow you to olige to the rights of the people whose data you process.
The issue with www.soscisurvey.de: We store backups for 12 months (unfortunately, a few students tend to losing their thesis research data...), and its nearly impossible (and would be incredibly expensive) to remove a single record from these records. Now, imagine a person comes to you and tells you, they are entitled by the GDPR to have their personal data deleted. As of that moment, you're responsible to delete the data. If you cannot guarantee for the deletion, you're in in trouble.